Stefano Zanero | 1 Mar 23:45 2008

Re: Obfuscated web pages

dxp wrote:
> You forgot to mention another good signature "Javascript_NOOP_Sled".  It
> used to provide decent detection about a year ago, now it's useless
> against obfuscated code.

And it was very easy to guess it would end like this.

Generic "shellcode" signatures worked only as long as the bad guys 
didn't get the point that they were substantially useless. Javascript is 
going down the same route. Amazing how things never change and how we 
love getting fscked always in the same way :)

> However, all these ISS Javascript script signatures have a very high
> False Positive rate.  Since you work for IBM perhaps you can get this
> across to the right people.

You cannot really do them "right", because the less false positives you 
generate, the less true positives you hit. You are better off just 
disabling such sigs.

My .02 EUR (which is close to .03USD these days)
Stefan

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 

Albert R. Campa | 14 Mar 17:40 2008

IPS/IDS location suggestions in Network.

ttp://uploader.futbolmex.net/files/1/network.JPG

See link for the network design, designed for redundancy and speed.

These boxes are routers and links are 10gb.

Different network segments will be hanging off of the 4 routers at
the bottom.

There will be an IPS higher up in the mix between the 2 top routers
and the internets as well as other stuff.

Main corporate network will be hanging off each of the 4 bottom switches.

So the goal is to monitor internal traffic between 4 network segments.

Idea of Cisco module IDS in the 2 top routers is scratched.

So what about in-line IPS on each of the links between the 4 routers
and the 2?
ISS has the GX6116 that runs at 6gb in filtering mode, 15gb non
filtering, hehe.
Sourcefire just sent me an email about their 10gb solution, but I don't
know if it has as many ports as the ISS box.

Is this even a good location for an inline IPS? It seems like the only
place other than the border where I can get any concentrated traffic,
but at the border I can't get internal traffic.

  Any suggestions?

Gleb Paharenko | 18 Mar 21:41 2008

Re: IPS/IDS location suggestions in Network.

Hi.

Unfortunately I do not have experience implementing IPS on 10g links;
however, I have been researching IBM appliances (ISS+Proventia). In practice
they cannot do deep inspection by signature patterns in protocols above
the transport layer (i.e. checking for exploit code) at even several
gigabits per second. I am not sure whether they just skip checks for packets
or whether it will become a bottleneck if you try to force all packets to be
checked. You should talk with IBM specialists about what set of features
will be available at that speed.

2008/3/14, Albert R. Campa <abcampa <at> gmail.com>:
> ttp://uploader.futbolmex.net/files/1/network.JPG
>
>
>   See link for Network design, design for redundancy and speed.
>
>   these boxes are routers and links are 10gb.
>
>   different network segments will be hanging off of the 4 routers at
>  the bottom.
>
>   There will be an IPS higher up in the mix between the 2 top routers
>   and the internets as well as other stuff.
>
>   Main corporate network will be hanging off each of the 4 bottom switches.
>
>   So the goal is to monitor internal traffic between 4 network segments.
>

brian_smith | 24 Mar 22:40 2008

Re: IPS/IDS location suggestions in Network.

[Full disclosure: I work for TippingPoint]

Two other vendors that have 10G products are McAfee and TippingPoint. Both
vendors have 10 gig solutions. I can't speak for MFE, SourceFire, or ISS,
but I can say that TippingPoint has many customers that run inline IPS up
in the network where you indicate. As a reality check, you should ask all
vendors for several references (maybe 5) that are running the device
inline, high up in the network, and you should call the references and see
how it's going. You learn a lot that sales won't volunteer (or will offer
up as FUD :-) talking to other customers.

        Brian Smith
        TippingPoint

"Albert R. Campa" <abcampa <at> gmail.com>
Sent by: listbounce <at> securityfocus.com
03/14/2008 11:40 AM
To: focus-ids <at> securityfocus.com
Subject: IPS/IDS location suggestions in Network.

Return C | 26 Mar 07:05 2008

rootkit and trojan hunting

all,
     I am developing a small host integrity scanner / checker to hunt
rootkits and trojans. Of course, I need to add more methods /
techniques to detect them. I am currently hashing important files like the
kernel, the /boot dir and System.map files. Is there any other possible
way to code it better? Any other suggestion would be really helpful
in my coding.

return C;


"Zow" Terry Brugger | 26 Mar 19:34 2008

Re: rootkit and trojan hunting

>      I am developing a small host integrity scanner / checker to hunt
>  rootkits and trojans. Of course, I need to add more methods /
>  techniques to detect them. I am currently hashing important files like the
>  kernel, the /boot dir and System.map files. Is there any other possible
>  way to code it better? Any other suggestion would be really helpful
>  in my coding.

Don't reinvent the wheel -- just use Tripwire.
http://sourceforge.net/projects/tripwire/ for the open source version,
or http://www.tripwire.com/products/ for the commercial version if you
need something beefier. Based on what you've said in your message, it
sounds like the open source version will work just fine.

Cheers,
Terry


Jeff D | 26 Mar 20:40 2008

Re: rootkit and trojan hunting

"Zow" Terry Brugger wrote:
>>      I am developing a small host integrity scanner / checker to hunt
>>  rootkits and trojans. Of course, I need to add more methods /
>>  techniques to detect them. I am currently hashing important files like the
>>  kernel, the /boot dir and System.map files. Is there any other possible
>>  way to code it better? Any other suggestion would be really helpful
>>  in my coding.
> 
> Don't reinvent the wheel -- just use Tripwire.
> http://sourceforge.net/projects/tripwire/ for the open source version,
> or http://www.tripwire.com/products/ for the commercial version if you
> need something beefier. Based on what you've said in your message, it
> sounds like the open source version will work just fine.
> 
> Cheers,
> Terry
> 

Also worth mentioning are aide (http://sourceforge.net/projects/aide),
which does file integrity checking, and rkhunter and lynis
(http://www.rootkit.nl/): rkhunter checks the system for rootkits and
trojans and lynis checks for some configuration issues.

hth,
jeff


oherrera | 27 Mar 03:36 2008

RE: rootkit and trojan hunting

Take a look at NIST's NSRL Project: http://www.nsrl.nist.gov/. They have
been doing this for several years now. 

However, observe the size of the database; a whitelisting approach is not
efficient for what you want to achieve if you intend to provide a general
solution (i.e. something useful out-of-the-box for different users and
environments).

Another approach being promoted by Microsoft and others is the use of
digital signatures in drivers and executables:
http://www.microsoft.com/whdc/winlogo/drvsign/kmsigning.mspx. Personally, I
think it is much better, but you need support from developers and many
companies don't digitally sign their software.

My suggestion: Let your software digitally sign every approved executable
and driver to create a baseline and check digital signatures before
execution, if it's not signed then don't allow it to run (actually it gets
more complicated with processes and executables calling each other, but you
get the idea). In each company the whitelist would be relatively small and
manageable.

Note that this approach would work well within companies with a well-defined
software change control management and certification process; it is not
something that individual users will find useful for their computers unless
they have a certain IT/security background and know what they are doing.
Otherwise you know what happens: Ok->ok->next->next. Whitelisting requires
intervention by someone who knows what to do; that's the reason we still
rely on blacklisting approaches in these cases, and I don't believe there's
much we can do about it.
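An added example, not code from any poster in this thread: a minimal signed file-integrity baseline along the lines Return C describes (hash the kernel, the /boot directory and System.map) combined with oherrera's point that the approved set should itself be signed so that tampering with the baseline is caught. The file names, the sample contents and the HMAC key are constructed; the key is assumed to be kept off the monitored host.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so a large kernel image fits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def sign_baseline(baseline, key):
    """HMAC-SHA256 over canonical JSON; the key must live off the monitored host."""
    canon = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def verify(root, baseline, signature, key):
    """Report modified/missing/added files; refuse a baseline whose HMAC fails."""
    if not hmac.compare_digest(sign_baseline(baseline, key), signature):
        raise ValueError("baseline HMAC mismatch: baseline tampered or wrong key")
    current = build_baseline(root)
    return {"modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
            "missing": sorted(p for p in baseline if p not in current),
            "added": sorted(p for p in current if p not in baseline)}

def demo():
    # Constructed scenario: baseline a fake /boot, then tamper with it.
    key = b"demo-key-kept-on-a-separate-host"  # constructed, not a real secret
    with tempfile.TemporaryDirectory() as root:
        boot = Path(root)
        (boot / "vmlinuz").write_bytes(b"kernel")
        (boot / "System.map").write_bytes(b"symbols")
        base = build_baseline(root)
        sig = sign_baseline(base, key)
        (boot / "vmlinuz").write_bytes(b"kernel-patched")  # simulate a replaced kernel
        (boot / "extra.ko").write_bytes(b"")  # simulate a dropped-in module
        return verify(root, base, sig, key)
```

Running `demo()` reports `vmlinuz` as modified and `extra.ko` as added; hand-editing the stored baseline makes `verify` raise instead of silently trusting it.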


Nuno Treez | 27 Mar 12:11 2008

Re: rootkit and trojan hunting

Return C, have you looked into system call hooking or system call
table modifications?

>  Don't reinvent the wheel -- just use Tripwire.
>  http://sourceforge.net/projects/tripwire/ for the open source version,

(sigh) What about learning?

"Give a man a fish and you feed him for a day. Teach a man to fish and
you feed him for a lifetime." Chinese Proverb

--

-- 
Nuno Treez
--
Being a pain in the Internet's ass since 1996.
--
Si vis pacem, para bellum. (Vegetius, Epitome rei militaris, 3. Praef.)
--


"Zow" Terry Brugger | 27 Mar 18:26 2008

Re: rootkit and trojan hunting

>  >  Don't reinvent the wheel -- just use Tripwire.
>  >  http://sourceforge.net/projects/tripwire/ for the open source version,
>
>  (sigh) What about learning?
>
>  "Give a man a fish and you feed him for a day. Teach a man to fish and
>  you feed him for a lifetime." Chinese Proverb

I can't resist the retort: "Build a man a fire, you keep him warm for
a day. Set a man on fire and you keep him warm for the rest of his
life."

Seriously though, I will grant you the educational value of doing
something yourself, but in the security space, a lesson that is best
not learned the hard way is that building security software is hard.
Security critical software can be attacked in a lot of ways, and a
mature, well-known product has hopefully already addressed them. This
is usually most easily observed in the crypto space where someone
thinks they've come up with a great new way to encrypt data, but in
fact it's vulnerable to an attack that was well understood by
professional cryptographers years ago. Even developers who know what
they're doing make mistakes and we continue to find vulnerabilities in
mature products, as evidenced by the traffic on Bugtraq. One only
needs to read a couple issues of RISKS digest and CryptoGram to
understand this. The last thing I would want to see is this
enterprising programmer putting together this system, deploying it,
and then thinking they're safe; although, I will grant you that unless
an attacker had a particular interest in the system at hand, it's not
likely they'll think to look for and disable a custom-built integrity
verification system.
